Analysis Report afdab907_by_Libranalysis

Overview

General Information

Sample Name:	afdab907_by_Libranalysis (renamed file extension from none to xls)
Analysis ID:	412299
MD5:	afdab90737c55a669e7025df2fa86efe
SHA1:	39a056a263368dcb1fb98a2226eae7c9d1488453
SHA256:	d61e90fe268528db7a0eee66f064270a519b2843a59642923b137ec2b81fe5e2
Tags:	SilentBuilder
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document contains embedded VBA macros

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: signifysystem.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.39.58:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.39.58:443

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.185.39.58 192.185.39.58
Source: Joe Sandbox View	IP Address: 192.185.32.232 192.185.32.232

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: signifysystem.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas ' RunDLL
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 2 Once You have Enable Editing, please click
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 , from the yellow bar above 15 D e 16 17 I 18 I WHY I CANNOT OPEN THIS DOCUME
Source: Document image extraction number: 5	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or

Found Excel 4.0 Macro with suspicious formulas

Source: afdab907_by_Libranalysis.xls	Initial sample: CALL
Source: afdab907_by_Libranalysis.xls	Initial sample: CALL
Source: afdab907_by_Libranalysis.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: afdab907_by_Libranalysis.xls

Initial sample: Sheet size: 14902

Document contains embedded VBA macros

Source: afdab907_by_Libranalysis.xls

OLE indicator, VBA macros: true

Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal68.expl.evad.winXLS@5/11@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\8AEE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE0FB.tmp

Jump to behavior

Source: afdab907_by_Libranalysis.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.39.58	signifysystem.com	United States		46606	UNIFIEDLAYER-AS-1US	false
192.185.32.232	fcventasyservicios.cl	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
signifysystem.com	192.185.39.58	true
fcventasyservicios.cl	192.185.32.232	true

ID:	412299
Product:	CloudBasic
Start time:	15:38:59
Start date:	12.05.2021
Sample:	afdab907_by_Libranalysis
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	afdab90737c55a669e7025df2fa86efe
SHA1:	39a056a263368dcb1fb98a2226eae7c9d1488453
SHA256:	d61e90fe268528db7a0eee66f064270a519b2843a59642923b137ec2b81fe5e2
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	022B42B850FFEBEBE0589A8F55778533	4D43F0391DF0E3052593F463060C1B774CFD4EBC	56179A6C3991401CD80D817F330A23341F9766568364E72BEE43C0ABD441C9FD
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	81506943EB48801C4C2D3CEF39C2010C	3CE4DE32C06BDFD98964FF936BF5D8A9724EDE28	D77D0D4C926CB389757FAF7B7F7E3C43281C85647500B770292322A52445819B
C:\Users\user\AppData\Local\Temp\C9EE0000	data	23A16496A774D2664ED6876017BC8368	9E58C1F6CEB9821853B0F1529FF2714492BFE392	CEB3E85D6F09EA5574D2D8EBDF9C0FF6B281D9F83B6E938406127899465C3AC3
C:\Users\user\AppData\Local\Temp\CabF3F1.tmp	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\Local\Temp\TarF3F2.tmp	data	78CABD9F1AFFF17BB91A105CF4702188	52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7	C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 12 21:39:45 2021, atime=Wed May 12 21:39:45 2021, length=8192, window=hide	5D80191D1F8BE805F706CAD750FD63D4	1E6BBB6393856DBB1136512606BD3A79F57B9BDE	15DBD6C98EDA34B58D3355DA5E7331B6D78D253D5C8CE516ED7FA25B6FCCE579
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\afdab907_by_Libranalysis.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed May 12 21:39:31 2021, mtime=Wed May 12 21:39:45 2021, atime=Wed May 12 21:39:45 2021, length=174080, window=hide	A2B52A062F02B93414CD76DBA84FE6BA	94819835438CCA230B3089AF9C8767CFFE9F1C9F	A2B21D42B3AEA8FAEEE48A308990A1405E694B3A0B8C37C1ECF49E52684718E6
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	85121F807F772BC7FB4410CA5583907A	D7A223F4FE7FDEA95B5CC43B0BD686A3CD98CC1E	BE44E6D35861347BCB4FDB71496734B6ECDA5B6C6EB8C4FA1D5311ED47AFDC7A
C:\Users\user\Desktop\8AEE0000	Applesoft BASIC program data, first line number 16	BCA119A696B5DE6D548CB8CCE7879077	7286340EAEF35B14B19777A001E4F877DA9F1821	E9FA2130843779019E39BBA6D422E16AA110F8CA81602858881E0C8808C6A23C

Analysis Report afdab907_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains